Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
As a follow-up to an article I wrote earlier this year on the perils of HTML e-mail, today I’m looking at how to defeat e-mail tracking services that use Web bugs.
Web bugs are very small (often only one pixel) images on a Web site; HTML e-mail that includes the URL for these tiny images can record who opened the e-mail message at what time. If there is an instruction requiring automatic refresh of the image as part of the HTML code, it is even possible to tell how long the e-mail message was left open on screen.
The service from DidTheyReadIt uses precisely this approach. As described on its Web site, users append “.didtheyreadit.com” to the e-mail address of someone whose e-mail reading habits they want to monitor. The company's servers convert messages to HTML, add a Web bug, and send your converted message to its destination. When a recipient using an HTML-tolerant e-mail reader opens or even previews the spyware-equipped document, the company's servers record when the Web bug was downloaded, the IP address of the reader, and how long the file was kept open. This information is then sent to the sender in an e-mail message.
Similar services are provided by MSGTAG and by ReadNotify.
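To see what such a bug looks like from the recipient's side, the following added example (not code from the article or from any of the services named) scans a raw message for remote images of one pixel or less and for a refresh directive. The sample message, its hosts, and the use of `<meta http-equiv="refresh">` as the refresh mechanism are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message; addresses and hosts are placeholders.
SAMPLE = b"""From: sender@example.com
To: reader@example.org
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><meta http-equiv="refresh" content="30"></head><body>
<p>Report attached.</p>
<img src="cid:logo123" width="120" height="40">
<img src="http://tracker.example/open?id=abc123" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="80">
</body></html>
"""

class WebBugFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.bugs = []        # remote images declared as 1x1 pixel or smaller
        self.remote = []      # every remote image: each fetch can be logged
        self.refresh = False  # a refresh directive is present (assumed form)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = True
        src = a.get("src", "").strip()
        # cid: and data: images travel inside the message, so no fetch occurs.
        if tag != "img" or not src.lower().startswith(("http://", "https://", "//")):
            return
        self.remote.append(src)
        if self._tiny(a.get("width")) and self._tiny(a.get("height")):
            self.bugs.append(src)

    @staticmethod
    def _tiny(value):
        # "0", "1" and "1px" count as tiny; missing sizes are not flagged.
        digits = (value or "").lower().replace("px", "").strip()
        return digits.isdigit() and int(digits) <= 1

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and inspect every text/html part."""
    finder = WebBugFinder()
    for part in email.message_from_bytes(raw_bytes, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder
```

A tracker can omit the width and height attributes or use a full-size image, so the `remote` list is the more conservative signal: any remote image reveals the open to whoever hosts it.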
Evidently, this entire system depends on HTML e-mail. In addition to the clumsy method of disconnecting from the ‘Net before opening HTML e-mail, there are already simple tools that destroy this functionality at little or no cost.
Wizard Industries makes Email-Tracking Blocker and sells it for $2.99, including a year of updates:
http://www.wizard-industries.com/trackingblocker.html
This 370K-byte utility needs to be run only once. According to the manufacturer, it works with any e-mail service and blocks all tracking services.
Email Sentinel Pro from DSDevelopment is freeware for individuals (non-commercial use) and shareware for corporations ($14.95 per seat):
http://www.emailaddressmanager.com/email_sentinel.html
This 815K-byte utility runs in the background to convert HTML e-mail messages into plain ASCII. It can be configured to handle attachments, can keep the original HTML messages in a quarantine buffer in case they are needed, can log its activities, works with any e-mail client, includes whitelist and contact-import, and requires no user interaction once it’s running. I tested this product and found that it worked fine with one of my e-mail accounts (an IMAP server) but failed with my backup account (a POP3 server). Not only was the message converted to plain text, but an embedded JPG image was converted to an attachment - very convenient and perfectly safe.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.